npm - @serve.zone/dcrouter - Versions diffs - 11.14.0 → 11.16.0 - Mend

@serve.zone/dcrouter 11.14.0 → 11.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (207) hide show

package/dist_serve/bundle.js +5 -9
package/dist_ts/00_commitinfo_data.d.ts +8 -0
package/dist_ts/00_commitinfo_data.js +9 -0
package/dist_ts/cache/classes.cache.cleaner.d.ts +47 -0
package/dist_ts/cache/classes.cache.cleaner.js +130 -0
package/dist_ts/cache/classes.cached.document.d.ts +76 -0
package/dist_ts/cache/classes.cached.document.js +100 -0
package/dist_ts/cache/classes.cachedb.d.ts +60 -0
package/dist_ts/cache/classes.cachedb.js +126 -0
package/dist_ts/cache/documents/classes.cached.email.d.ts +125 -0
package/dist_ts/cache/documents/classes.cached.email.js +337 -0
package/dist_ts/cache/documents/classes.cached.ip.reputation.d.ts +119 -0
package/dist_ts/cache/documents/classes.cached.ip.reputation.js +323 -0
package/dist_ts/cache/documents/index.d.ts +2 -0
package/dist_ts/cache/documents/index.js +3 -0
package/dist_ts/cache/index.d.ts +4 -0
package/dist_ts/cache/index.js +7 -0
package/dist_ts/classes.cert-provision-scheduler.d.ts +54 -0
package/dist_ts/classes.cert-provision-scheduler.js +118 -0
package/dist_ts/classes.dcrouter.d.ts +399 -0
package/dist_ts/classes.dcrouter.js +1697 -0
package/dist_ts/classes.storage-cert-manager.d.ts +18 -0
package/dist_ts/classes.storage-cert-manager.js +43 -0
package/dist_ts/config/classes.api-token-manager.d.ts +46 -0
package/dist_ts/config/classes.api-token-manager.js +150 -0
package/dist_ts/config/classes.route-config-manager.d.ts +38 -0
package/dist_ts/config/classes.route-config-manager.js +257 -0
package/dist_ts/config/index.d.ts +3 -0
package/dist_ts/config/index.js +5 -0
package/dist_ts/config/validator.d.ts +104 -0
package/dist_ts/config/validator.js +152 -0
package/dist_ts/errors/base.errors.d.ts +224 -0
package/dist_ts/errors/base.errors.js +320 -0
package/dist_ts/errors/error-handler.d.ts +98 -0
package/dist_ts/errors/error-handler.js +282 -0
package/dist_ts/errors/error.codes.d.ts +115 -0
package/dist_ts/errors/error.codes.js +136 -0
package/dist_ts/errors/index.d.ts +54 -0
package/dist_ts/errors/index.js +136 -0
package/dist_ts/errors/reputation.errors.d.ts +183 -0
package/dist_ts/errors/reputation.errors.js +292 -0
package/dist_ts/http3/http3-route-augmentation.d.ts +50 -0
package/dist_ts/http3/http3-route-augmentation.js +98 -0
package/dist_ts/http3/index.d.ts +1 -0
package/dist_ts/http3/index.js +2 -0
package/dist_ts/index.d.ts +8 -0
package/dist_ts/index.js +29 -0
package/dist_ts/logger.d.ts +21 -0
package/dist_ts/logger.js +81 -0
package/dist_ts/monitoring/classes.metricscache.d.ts +32 -0
package/dist_ts/monitoring/classes.metricscache.js +63 -0
package/dist_ts/monitoring/classes.metricsmanager.d.ts +184 -0
package/dist_ts/monitoring/classes.metricsmanager.js +744 -0
package/dist_ts/monitoring/index.d.ts +1 -0
package/dist_ts/monitoring/index.js +2 -0
package/dist_ts/opsserver/classes.opsserver.d.ts +38 -0
package/dist_ts/opsserver/classes.opsserver.js +87 -0
package/dist_ts/opsserver/handlers/admin.handler.d.ts +31 -0
package/dist_ts/opsserver/handlers/admin.handler.js +180 -0
package/dist_ts/opsserver/handlers/api-token.handler.d.ts +6 -0
package/dist_ts/opsserver/handlers/api-token.handler.js +62 -0
package/dist_ts/opsserver/handlers/certificate.handler.d.ts +32 -0
package/dist_ts/opsserver/handlers/certificate.handler.js +421 -0
package/dist_ts/opsserver/handlers/config.handler.d.ts +7 -0
package/dist_ts/opsserver/handlers/config.handler.js +192 -0
package/dist_ts/opsserver/handlers/email-ops.handler.d.ts +30 -0
package/dist_ts/opsserver/handlers/email-ops.handler.js +227 -0
package/dist_ts/opsserver/handlers/index.d.ts +12 -0
package/dist_ts/opsserver/handlers/index.js +13 -0
package/dist_ts/opsserver/handlers/logs.handler.d.ts +25 -0
package/dist_ts/opsserver/handlers/logs.handler.js +256 -0
package/dist_ts/opsserver/handlers/radius.handler.d.ts +6 -0
package/dist_ts/opsserver/handlers/radius.handler.js +295 -0
package/dist_ts/opsserver/handlers/remoteingress.handler.d.ts +6 -0
package/dist_ts/opsserver/handlers/remoteingress.handler.js +156 -0
package/dist_ts/opsserver/handlers/route-management.handler.d.ts +14 -0
package/dist_ts/opsserver/handlers/route-management.handler.js +117 -0
package/dist_ts/opsserver/handlers/security.handler.d.ts +9 -0
package/dist_ts/opsserver/handlers/security.handler.js +233 -0
package/dist_ts/opsserver/handlers/stats.handler.d.ts +11 -0
package/dist_ts/opsserver/handlers/stats.handler.js +403 -0
package/dist_ts/opsserver/handlers/vpn.handler.d.ts +6 -0
package/dist_ts/opsserver/handlers/vpn.handler.js +197 -0
package/dist_ts/opsserver/helpers/guards.d.ts +27 -0
package/dist_ts/opsserver/helpers/guards.js +43 -0
package/dist_ts/opsserver/index.d.ts +1 -0
package/dist_ts/opsserver/index.js +2 -0
package/dist_ts/paths.d.ts +26 -0
package/dist_ts/paths.js +45 -0
package/dist_ts/plugins.d.ts +81 -0
package/dist_ts/plugins.js +115 -0
package/dist_ts/radius/classes.accounting.manager.d.ts +231 -0
package/dist_ts/radius/classes.accounting.manager.js +462 -0
package/dist_ts/radius/classes.radius.server.d.ts +171 -0
package/dist_ts/radius/classes.radius.server.js +386 -0
package/dist_ts/radius/classes.vlan.manager.d.ts +128 -0
package/dist_ts/radius/classes.vlan.manager.js +279 -0
package/dist_ts/radius/index.d.ts +13 -0
package/dist_ts/radius/index.js +14 -0
package/dist_ts/remoteingress/classes.remoteingress-manager.d.ts +94 -0
package/dist_ts/remoteingress/classes.remoteingress-manager.js +271 -0
package/dist_ts/remoteingress/classes.tunnel-manager.d.ts +59 -0
package/dist_ts/remoteingress/classes.tunnel-manager.js +165 -0
package/dist_ts/remoteingress/index.d.ts +2 -0
package/dist_ts/remoteingress/index.js +3 -0
package/dist_ts/security/classes.contentscanner.d.ts +164 -0
package/dist_ts/security/classes.contentscanner.js +642 -0
package/dist_ts/security/classes.ipreputationchecker.d.ts +160 -0
package/dist_ts/security/classes.ipreputationchecker.js +537 -0
package/dist_ts/security/classes.securitylogger.d.ts +144 -0
package/dist_ts/security/classes.securitylogger.js +235 -0
package/dist_ts/security/index.d.ts +3 -0
package/dist_ts/security/index.js +4 -0
package/dist_ts/sms/classes.smsservice.d.ts +15 -0
package/dist_ts/sms/classes.smsservice.js +72 -0
package/dist_ts/sms/config/sms.config.d.ts +93 -0
package/dist_ts/sms/config/sms.config.js +2 -0
package/dist_ts/sms/config/sms.schema.d.ts +5 -0
package/dist_ts/sms/config/sms.schema.js +121 -0
package/dist_ts/sms/index.d.ts +1 -0
package/dist_ts/sms/index.js +2 -0
package/dist_ts/storage/classes.storagemanager.d.ts +83 -0
package/dist_ts/storage/classes.storagemanager.js +348 -0
package/dist_ts/storage/index.d.ts +1 -0
package/dist_ts/storage/index.js +3 -0
package/dist_ts/vpn/classes.vpn-manager.d.ts +129 -0
package/dist_ts/vpn/classes.vpn-manager.js +329 -0
package/dist_ts/vpn/index.d.ts +1 -0
package/dist_ts/vpn/index.js +2 -0
package/dist_ts_apiclient/classes.apitoken.d.ts +41 -0
package/dist_ts_apiclient/classes.apitoken.js +115 -0
package/dist_ts_apiclient/classes.certificate.d.ts +57 -0
package/dist_ts_apiclient/classes.certificate.js +69 -0
package/dist_ts_apiclient/classes.config.d.ts +7 -0
package/dist_ts_apiclient/classes.config.js +11 -0
package/dist_ts_apiclient/classes.dcrouterapiclient.d.ts +41 -0
package/dist_ts_apiclient/classes.dcrouterapiclient.js +81 -0
package/dist_ts_apiclient/classes.email.d.ts +30 -0
package/dist_ts_apiclient/classes.email.js +52 -0
package/dist_ts_apiclient/classes.logs.d.ts +21 -0
package/dist_ts_apiclient/classes.logs.js +14 -0
package/dist_ts_apiclient/classes.radius.d.ts +59 -0
package/dist_ts_apiclient/classes.radius.js +95 -0
package/dist_ts_apiclient/classes.remoteingress.d.ts +54 -0
package/dist_ts_apiclient/classes.remoteingress.js +136 -0
package/dist_ts_apiclient/classes.route.d.ts +42 -0
package/dist_ts_apiclient/classes.route.js +154 -0
package/dist_ts_apiclient/classes.stats.d.ts +47 -0
package/dist_ts_apiclient/classes.stats.js +38 -0
package/dist_ts_apiclient/index.d.ts +10 -0
package/dist_ts_apiclient/index.js +14 -0
package/dist_ts_apiclient/plugins.d.ts +3 -0
package/dist_ts_apiclient/plugins.js +5 -0
package/dist_ts_interfaces/data/remoteingress.d.ts +2 -0
package/dist_ts_interfaces/data/vpn.d.ts +1 -2
package/dist_ts_interfaces/requests/vpn.d.ts +1 -1
package/dist_ts_web/00_commitinfo_data.d.ts +8 -0
package/dist_ts_web/00_commitinfo_data.js +9 -0
package/dist_ts_web/appstate.d.ts +238 -0
package/dist_ts_web/appstate.js +1174 -0
package/dist_ts_web/elements/index.d.ts +13 -0
package/dist_ts_web/elements/index.js +14 -0
package/dist_ts_web/elements/ops-dashboard.d.ts +23 -0
package/dist_ts_web/elements/ops-dashboard.js +323 -0
package/dist_ts_web/elements/ops-view-apitokens.d.ts +13 -0
package/dist_ts_web/elements/ops-view-apitokens.js +371 -0
package/dist_ts_web/elements/ops-view-certificates.d.ts +22 -0
package/dist_ts_web/elements/ops-view-certificates.js +528 -0
package/dist_ts_web/elements/ops-view-config.d.ts +19 -0
package/dist_ts_web/elements/ops-view-config.js +339 -0
package/dist_ts_web/elements/ops-view-emails.d.ts +21 -0
package/dist_ts_web/elements/ops-view-emails.js +165 -0
package/dist_ts_web/elements/ops-view-logs.d.ts +13 -0
package/dist_ts_web/elements/ops-view-logs.js +159 -0
package/dist_ts_web/elements/ops-view-network.d.ts +71 -0
package/dist_ts_web/elements/ops-view-network.js +764 -0
package/dist_ts_web/elements/ops-view-overview.d.ts +22 -0
package/dist_ts_web/elements/ops-view-overview.js +456 -0
package/dist_ts_web/elements/ops-view-remoteingress.d.ts +20 -0
package/dist_ts_web/elements/ops-view-remoteingress.js +494 -0
package/dist_ts_web/elements/ops-view-routes.d.ts +12 -0
package/dist_ts_web/elements/ops-view-routes.js +404 -0
package/dist_ts_web/elements/ops-view-security.d.ts +21 -0
package/dist_ts_web/elements/ops-view-security.js +574 -0
package/dist_ts_web/elements/ops-view-vpn.d.ts +14 -0
package/dist_ts_web/elements/ops-view-vpn.js +365 -0
package/dist_ts_web/elements/shared/css.d.ts +1 -0
package/dist_ts_web/elements/shared/css.js +10 -0
package/dist_ts_web/elements/shared/index.d.ts +2 -0
package/dist_ts_web/elements/shared/index.js +3 -0
package/dist_ts_web/elements/shared/ops-sectionheading.d.ts +5 -0
package/dist_ts_web/elements/shared/ops-sectionheading.js +82 -0
package/dist_ts_web/index.d.ts +1 -0
package/dist_ts_web/index.js +10 -0
package/dist_ts_web/plugins.d.ts +6 -0
package/dist_ts_web/plugins.js +11 -0
package/dist_ts_web/router.d.ts +19 -0
package/dist_ts_web/router.js +91 -0
package/package.json +2 -2
package/ts/00_commitinfo_data.ts +1 -1
package/ts/classes.dcrouter.ts +51 -20
package/ts/config/classes.route-config-manager.ts +7 -6
package/ts/opsserver/handlers/vpn.handler.ts +3 -5
package/ts/vpn/classes.vpn-manager.ts +68 -19
package/ts_web/00_commitinfo_data.ts +1 -1
package/ts_web/appstate.ts +2 -2
package/ts_web/elements/ops-view-vpn.ts +5 -9

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@serve.zone/dcrouter",
   "private": false,
-  "version": "11.14.0",
+  "version": "11.16.0",
   "description": "A multifaceted routing service handling mail and SMS delivery functions.",
   "type": "module",
   "exports": {
@@ -59,7 +59,7 @@
     "@push.rocks/smartrx": "^3.0.10",
     "@push.rocks/smartstate": "^2.3.0",
     "@push.rocks/smartunique": "^3.0.9",
-    "@push.rocks/smartvpn": "1.12.0",
+    "@push.rocks/smartvpn": "1.14.0",
     "@push.rocks/taskbuffer": "^8.0.2",
     "@serve.zone/catalog": "^2.9.0",
     "@serve.zone/interfaces": "^5.3.0",

package/ts/00_commitinfo_data.ts CHANGED Viewed

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '11.14.0',
+  version: '11.16.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

package/ts/classes.dcrouter.ts CHANGED Viewed

@@ -206,8 +206,21 @@ export interface IDcRouterOptions {
     dns?: string[];
     /** Server endpoint hostname for client configs (e.g. 'vpn.example.com') */
     serverEndpoint?: string;
-    /** Override forwarding mode. Default: auto-detect (tun if root, socket otherwise) */
-    forwardingMode?: 'tun' | 'socket';
+    /** Pre-defined VPN clients created on startup */
+    clients?: Array<{
+      clientId: string;
+      serverDefinedClientTags?: string[];
+      description?: string;
+    }>;
+    /** Destination routing policy for VPN client traffic.
+     *  Default in socket mode: { default: 'forceTarget', target: '127.0.0.1' } (all traffic → SmartProxy).
+     *  Default in tun mode: not set (all traffic passes through). */
+    destinationPolicy?: {
+      default: 'forceTarget' | 'block' | 'allow';
+      target?: string;
+      allowList?: string[];
+      blockList?: string[];
+    };
   };
 }
@@ -453,7 +466,14 @@ export class DcRouter {
             () => this.getConstructorRoutes(),
             () => this.smartProxy,
             () => this.options.http3,
-            () => this.options.vpnConfig?.enabled ? (this.options.vpnConfig.subnet || '10.8.0.0/24') : undefined,
+            this.options.vpnConfig?.enabled
+              ? (tags?: string[]) => {
+                  if (tags?.length && this.vpnManager) {
+                    return this.vpnManager.getClientIpsForServerDefinedTags(tags);
+                  }
+                  return [this.options.vpnConfig?.subnet || '10.8.0.0/24'];
+                }
+              : undefined,
           );
           this.apiTokenManager = new ApiTokenManager(this.storageManager);
           await this.apiTokenManager.initialize();
@@ -664,9 +684,8 @@ export class DcRouter {
     if (this.vpnManager && this.options.vpnConfig?.enabled) {
       const subnet = this.vpnManager.getSubnet();
       const wgPort = this.options.vpnConfig.wgListenPort ?? 51820;
-      const mode = this.vpnManager.forwardingMode;
       const clientCount = this.vpnManager.listClients().length;
-      logger.log('info', `VPN Service: mode=${mode}, subnet=${subnet}, wg=:${wgPort}, clients=${clientCount}`);
+      logger.log('info', `VPN Service: subnet=${subnet}, wg=:${wgPort}, clients=${clientCount}`);
     }
     // Remote Ingress summary
@@ -950,19 +969,14 @@ export class DcRouter {
         smartProxyConfig.proxyIPs = ['127.0.0.1'];
       }
-      // When VPN is in socket mode, the userspace NAT engine sends PP v2 headers
-      // on outbound connections to SmartProxy to preserve VPN client tunnel IPs.
+      // VPN uses socket mode with PP v2 — SmartProxy must accept proxy protocol from localhost
       if (this.options.vpnConfig?.enabled) {
-        const vpnForwardingMode = this.options.vpnConfig.forwardingMode
-          ?? (process.getuid?.() === 0 ? 'tun' : 'socket');
-        if (vpnForwardingMode === 'socket') {
-          smartProxyConfig.acceptProxyProtocol = true;
-          if (!smartProxyConfig.proxyIPs) {
-            smartProxyConfig.proxyIPs = [];
-          }
-          if (!smartProxyConfig.proxyIPs.includes('127.0.0.1')) {
-            smartProxyConfig.proxyIPs.push('127.0.0.1');
-          }
+        smartProxyConfig.acceptProxyProtocol = true;
+        if (!smartProxyConfig.proxyIPs) {
+          smartProxyConfig.proxyIPs = [];
+        }
+        if (!smartProxyConfig.proxyIPs.includes('127.0.0.1')) {
+          smartProxyConfig.proxyIPs.push('127.0.0.1');
         }
       }
@@ -2085,7 +2099,12 @@ export class DcRouter {
       wgListenPort: this.options.vpnConfig.wgListenPort,
       dns: this.options.vpnConfig.dns,
       serverEndpoint: this.options.vpnConfig.serverEndpoint,
-      forwardingMode: this.options.vpnConfig.forwardingMode,
+      initialClients: this.options.vpnConfig.clients,
+      destinationPolicy: this.options.vpnConfig.destinationPolicy,
+      onClientChanged: () => {
+        // Re-apply routes so tag-based ipAllowLists get updated
+        this.routeConfigManager?.applyRoutes();
+      },
     });
     await this.vpnManager.start();
@@ -2104,11 +2123,23 @@ export class DcRouter {
       if (dcrouterRoute.vpn?.required) {
         injectedCount++;
         const existing = route.security?.ipAllowList || [];
+        let vpnAllowList: string[];
+        if (dcrouterRoute.vpn.allowedServerDefinedClientTags?.length && this.vpnManager) {
+          // Tag-based: only specific client IPs
+          vpnAllowList = this.vpnManager.getClientIpsForServerDefinedTags(
+            dcrouterRoute.vpn.allowedServerDefinedClientTags,
+          );
+        } else {
+          // No tags specified: entire VPN subnet
+          vpnAllowList = [vpnSubnet];
+        }
         return {
           ...route,
           security: {
             ...route.security,
-            ipAllowList: [...existing, vpnSubnet],
+            ipAllowList: [...existing, ...vpnAllowList],
           },
         };
       }
@@ -2116,7 +2147,7 @@ export class DcRouter {
     });
     if (injectedCount > 0) {
-      logger.log('info', `VPN: Injected ipAllowList (${vpnSubnet}) into ${injectedCount} VPN-protected route(s)`);
+      logger.log('info', `VPN: Injected ipAllowList into ${injectedCount} VPN-protected route(s)`);
     }
     return result;

package/ts/config/classes.route-config-manager.ts CHANGED Viewed

@@ -23,7 +23,7 @@ export class RouteConfigManager {
     private getHardcodedRoutes: () => plugins.smartproxy.IRouteConfig[],
     private getSmartProxy: () => plugins.smartproxy.SmartProxy | undefined,
     private getHttp3Config?: () => IHttp3Config | undefined,
-    private getVpnSubnet?: () => string | undefined,
+    private getVpnAllowList?: (tags?: string[]) => string[],
   ) {}
   /**
@@ -246,7 +246,7 @@ export class RouteConfigManager {
   // Private: apply merged routes to SmartProxy
   // =========================================================================
-  private async applyRoutes(): Promise<void> {
+  public async applyRoutes(): Promise<void> {
     const smartProxy = this.getSmartProxy();
     if (!smartProxy) return;
@@ -262,9 +262,9 @@ export class RouteConfigManager {
       enabledRoutes.push(route);
     }
-    // Add enabled programmatic routes (with HTTP/3 augmentation if enabled)
+    // Add enabled programmatic routes (with HTTP/3 and VPN augmentation)
     const http3Config = this.getHttp3Config?.();
-    const vpnSubnet = this.getVpnSubnet?.();
+    const vpnAllowList = this.getVpnAllowList;
     for (const stored of this.storedRoutes.values()) {
       if (stored.enabled) {
         let route = stored.route;
@@ -272,15 +272,16 @@ export class RouteConfigManager {
           route = augmentRouteWithHttp3(route, { enabled: true, ...http3Config });
         }
         // Inject VPN security for programmatic routes with vpn.required
-        if (vpnSubnet) {
+        if (vpnAllowList) {
           const dcRoute = route as IDcRouterRouteConfig;
           if (dcRoute.vpn?.required) {
             const existing = route.security?.ipAllowList || [];
+            const allowList = vpnAllowList(dcRoute.vpn.allowedServerDefinedClientTags);
             route = {
               ...route,
               security: {
                 ...route.security,
-                ipAllowList: [...existing, vpnSubnet],
+                ipAllowList: [...existing, ...allowList],
               },
             };
           }

package/ts/opsserver/handlers/vpn.handler.ts CHANGED Viewed

@@ -25,7 +25,7 @@ export class VpnHandler {
           const clients = manager.listClients().map((c) => ({
             clientId: c.clientId,
             enabled: c.enabled,
-            tags: c.tags,
+            serverDefinedClientTags: c.serverDefinedClientTags,
             description: c.description,
             assignedIp: c.assignedIp,
             createdAt: c.createdAt,
@@ -48,7 +48,6 @@ export class VpnHandler {
             return {
               status: {
                 running: false,
-                forwardingMode: 'socket' as const,
                 subnet: vpnConfig?.subnet || '10.8.0.0/24',
                 wgListenPort: vpnConfig?.wgListenPort ?? 51820,
                 serverPublicKeys: null,
@@ -62,7 +61,6 @@ export class VpnHandler {
           return {
             status: {
               running: manager.running,
-              forwardingMode: manager.forwardingMode,
               subnet: manager.getSubnet(),
               wgListenPort: vpnConfig?.wgListenPort ?? 51820,
               serverPublicKeys: manager.getServerPublicKeys(),
@@ -89,7 +87,7 @@ export class VpnHandler {
           try {
             const bundle = await manager.createClient({
               clientId: dataArg.clientId,
-              tags: dataArg.tags,
+              serverDefinedClientTags: dataArg.serverDefinedClientTags,
               description: dataArg.description,
             });
@@ -98,7 +96,7 @@ export class VpnHandler {
               client: {
                 clientId: bundle.entry.clientId,
                 enabled: bundle.entry.enabled ?? true,
-                tags: bundle.entry.tags,
+                serverDefinedClientTags: bundle.entry.serverDefinedClientTags,
                 description: bundle.entry.description,
                 assignedIp: bundle.entry.assignedIp,
                 createdAt: Date.now(),

package/ts/vpn/classes.vpn-manager.ts CHANGED Viewed

@@ -14,8 +14,21 @@ export interface IVpnManagerConfig {
   dns?: string[];
   /** Server endpoint hostname for client configs (e.g. 'vpn.example.com') */
   serverEndpoint?: string;
-  /** Override forwarding mode. Default: auto-detect (tun if root, socket otherwise) */
-  forwardingMode?: 'tun' | 'socket';
+  /** Pre-defined VPN clients created on startup (idempotent — skips already-persisted clients) */
+  initialClients?: Array<{
+    clientId: string;
+    serverDefinedClientTags?: string[];
+    description?: string;
+  }>;
+  /** Called when clients are created/deleted/toggled — triggers route re-application */
+  onClientChanged?: () => void;
+  /** Destination routing policy override. Default: forceTarget to 127.0.0.1 */
+  destinationPolicy?: {
+    default: 'forceTarget' | 'block' | 'allow';
+    target?: string;
+    allowList?: string[];
+    blockList?: string[];
+  };
 }
 interface IPersistedServerKeys {
@@ -28,7 +41,7 @@ interface IPersistedServerKeys {
 interface IPersistedClient {
   clientId: string;
   enabled: boolean;
-  tags?: string[];
+  serverDefinedClientTags?: string[];
   description?: string;
   assignedIp?: string;
   noisePublicKey: string;
@@ -36,6 +49,8 @@ interface IPersistedClient {
   createdAt: number;
   updatedAt: number;
   expiresAt?: string;
+  /** @deprecated Legacy field — migrated to serverDefinedClientTags on load */
+  tags?: string[];
 }
 /**
@@ -48,19 +63,10 @@ export class VpnManager {
   private vpnServer?: plugins.smartvpn.VpnServer;
   private clients: Map<string, IPersistedClient> = new Map();
   private serverKeys?: IPersistedServerKeys;
-  private _forwardingMode: 'tun' | 'socket';
   constructor(storageManager: StorageManager, config: IVpnManagerConfig) {
     this.storageManager = storageManager;
     this.config = config;
-    // Auto-detect forwarding mode: tun if root, socket otherwise
-    this._forwardingMode = config.forwardingMode
-      ?? (process.getuid?.() === 0 ? 'tun' : 'socket');
-  }
-  /** The effective forwarding mode (tun or socket). */
-  public get forwardingMode(): 'tun' | 'socket' {
-    return this._forwardingMode;
   }
   /** The VPN subnet CIDR. */
@@ -92,7 +98,7 @@ export class VpnManager {
         publicKey: client.noisePublicKey,
         wgPublicKey: client.wgPublicKey,
         enabled: client.enabled,
-        tags: client.tags,
+        serverDefinedClientTags: client.serverDefinedClientTags,
         description: client.description,
         assignedIp: client.assignedIp,
         expiresAt: client.expiresAt,
@@ -113,16 +119,33 @@ export class VpnManager {
       publicKey: this.serverKeys.noisePublicKey,
       subnet,
       dns: this.config.dns,
-      forwardingMode: this._forwardingMode,
+      forwardingMode: 'socket',
       transportMode: 'all',
       wgPrivateKey: this.serverKeys.wgPrivateKey,
       wgListenPort,
       clients: clientEntries,
-      socketForwardProxyProtocol: this._forwardingMode === 'socket',
+      socketForwardProxyProtocol: true,
+      destinationPolicy: this.config.destinationPolicy
+        ?? { default: 'forceTarget' as const, target: '127.0.0.1' },
     };
     await this.vpnServer.start(serverConfig);
-    logger.log('info', `VPN server started: mode=${this._forwardingMode}, subnet=${subnet}, wg=:${wgListenPort}, clients=${this.clients.size}`);
+    // Create initial clients from config (idempotent — skip already-persisted)
+    if (this.config.initialClients) {
+      for (const initial of this.config.initialClients) {
+        if (!this.clients.has(initial.clientId)) {
+          const bundle = await this.createClient({
+            clientId: initial.clientId,
+            serverDefinedClientTags: initial.serverDefinedClientTags,
+            description: initial.description,
+          });
+          logger.log('info', `VPN: Created initial client '${initial.clientId}' (IP: ${bundle.entry.assignedIp})`);
+        }
+      }
+    }
+    logger.log('info', `VPN server started: subnet=${subnet}, wg=:${wgListenPort}, clients=${this.clients.size}`);
   }
   /**
@@ -148,7 +171,7 @@ export class VpnManager {
    */
   public async createClient(opts: {
     clientId: string;
-    tags?: string[];
+    serverDefinedClientTags?: string[];
     description?: string;
   }): Promise<plugins.smartvpn.IClientConfigBundle> {
     if (!this.vpnServer) {
@@ -157,7 +180,7 @@ export class VpnManager {
     const bundle = await this.vpnServer.createClient({
       clientId: opts.clientId,
-      tags: opts.tags,
+      serverDefinedClientTags: opts.serverDefinedClientTags,
       description: opts.description,
     });
@@ -174,7 +197,7 @@ export class VpnManager {
     const persisted: IPersistedClient = {
       clientId: bundle.entry.clientId,
       enabled: bundle.entry.enabled ?? true,
-      tags: bundle.entry.tags,
+      serverDefinedClientTags: bundle.entry.serverDefinedClientTags,
       description: bundle.entry.description,
       assignedIp: bundle.entry.assignedIp,
       noisePublicKey: bundle.entry.publicKey,
@@ -186,6 +209,7 @@ export class VpnManager {
     this.clients.set(persisted.clientId, persisted);
     await this.persistClient(persisted);
+    this.config.onClientChanged?.();
     return bundle;
   }
@@ -199,6 +223,7 @@ export class VpnManager {
     await this.vpnServer.removeClient(clientId);
     this.clients.delete(clientId);
     await this.storageManager.delete(`${STORAGE_PREFIX_CLIENTS}${clientId}`);
+    this.config.onClientChanged?.();
   }
   /**
@@ -220,6 +245,7 @@ export class VpnManager {
       client.updatedAt = Date.now();
       await this.persistClient(client);
     }
+    this.config.onClientChanged?.();
   }
   /**
@@ -234,6 +260,7 @@ export class VpnManager {
       client.updatedAt = Date.now();
       await this.persistClient(client);
     }
+    this.config.onClientChanged?.();
   }
   /**
@@ -283,6 +310,22 @@ export class VpnManager {
     return config;
   }
+  // ── Tag-based access control ───────────────────────────────────────────
+  /**
+   * Get assigned IPs for all enabled clients matching any of the given server-defined tags.
+   */
+  public getClientIpsForServerDefinedTags(tags: string[]): string[] {
+    const ips: string[] = [];
+    for (const client of this.clients.values()) {
+      if (!client.enabled || !client.assignedIp) continue;
+      if (client.serverDefinedClientTags?.some(t => tags.includes(t))) {
+        ips.push(client.assignedIp);
+      }
+    }
+    return ips;
+  }
   // ── Status and telemetry ───────────────────────────────────────────────
   /**
@@ -364,6 +407,12 @@ export class VpnManager {
     for (const key of keys) {
       const client = await this.storageManager.getJSON<IPersistedClient>(key);
       if (client) {
+        // Migrate legacy `tags` → `serverDefinedClientTags`
+        if (!client.serverDefinedClientTags && client.tags) {
+          client.serverDefinedClientTags = client.tags;
+          delete client.tags;
+          await this.persistClient(client);
+        }
         this.clients.set(client.clientId, client);
       }
     }

package/ts_web/00_commitinfo_data.ts CHANGED Viewed

@@ -3,6 +3,6 @@
  */
 export const commitinfo = {
   name: '@serve.zone/dcrouter',
-  version: '11.14.0',
+  version: '11.16.0',
   description: 'A multifaceted routing service handling mail and SMS delivery functions.'
 }

package/ts_web/appstate.ts CHANGED Viewed

@@ -974,7 +974,7 @@ export const fetchVpnAction = vpnStatePart.createAction(async (statePartArg): Pr
 export const createVpnClientAction = vpnStatePart.createAction<{
   clientId: string;
-  tags?: string[];
+  serverDefinedClientTags?: string[];
   description?: string;
 }>(async (statePartArg, dataArg, actionContext): Promise<IVpnState> => {
   const context = getActionContext();
@@ -988,7 +988,7 @@ export const createVpnClientAction = vpnStatePart.createAction<{
     const response = await request.fire({
       identity: context.identity!,
       clientId: dataArg.clientId,
-      tags: dataArg.tags,
+      serverDefinedClientTags: dataArg.serverDefinedClientTags,
       description: dataArg.description,
     });

package/ts_web/elements/ops-view-vpn.ts CHANGED Viewed

@@ -181,7 +181,7 @@ export class OpsViewVpn extends DeesElement {
         type: 'text',
         value: status?.running ? 'Running' : 'Stopped',
         icon: 'lucide:server',
-        description: status?.running ? `${status.forwardingMode} mode` : 'VPN server not running',
+        description: status?.running ? 'Active' : 'VPN server not running',
         color: status?.running ? '#10b981' : '#ef4444',
       },
     ];
@@ -232,10 +232,6 @@ export class OpsViewVpn extends DeesElement {
             <span class="infoLabel">WireGuard Port</span>
             <span class="infoValue">${status.wgListenPort}</span>
           </div>
-          <div class="infoItem">
-            <span class="infoLabel">Forwarding Mode</span>
-            <span class="infoValue">${status.forwardingMode}</span>
-          </div>
           ${status.serverPublicKeys ? html`
             <div class="infoItem">
               <span class="infoLabel">WG Public Key</span>
@@ -255,8 +251,8 @@ export class OpsViewVpn extends DeesElement {
             ? html`<span class="statusBadge enabled">enabled</span>`
             : html`<span class="statusBadge disabled">disabled</span>`,
           'VPN IP': client.assignedIp || '-',
-          'Tags': client.tags?.length
-            ? html`${client.tags.map(t => html`<span class="tagBadge">${t}</span>`)}`
+          'Tags': client.serverDefinedClientTags?.length
+            ? html`${client.serverDefinedClientTags.map(t => html`<span class="tagBadge">${t}</span>`)}`
             : '-',
           'Description': client.description || '-',
           'Created': new Date(client.createdAt).toLocaleDateString(),
@@ -312,11 +308,11 @@ export class OpsViewVpn extends DeesElement {
                 action: async (modal: any) => {
                   const form = modal.shadowRoot!.querySelector('dees-form') as any;
                   const data = await form.collectFormData();
-                  const tags = data.tags ? data.tags.split(',').map((t: string) => t.trim()).filter(Boolean) : undefined;
+                  const serverDefinedClientTags = data.tags ? data.tags.split(',').map((t: string) => t.trim()).filter(Boolean) : undefined;
                   await appstate.vpnStatePart.dispatchAction(appstate.createVpnClientAction, {
                     clientId: data.clientId,
                     description: data.description || undefined,
-                    tags,
+                    serverDefinedClientTags,
                   });
                   modal.destroy();
                 },